Wednesday, October 21, 2015 

Security, Exceptions and logging

Types of exceptions:
1. Programming - like null pointer exceptions caused becuase of your code.
- These should never be caught.
2. Client code errors: XML parser fed with bad xml.
3. Resource related exceptions: Like file not found. Network error etc.

Handling exceptions:
Throw early catch late:
Catch late means catch it where you can deal with it meaning fully.

Better - Create a Custom exception class - should have
- What went wrong,
- Where it went wrong.
- data to help debugging.

Logging - what to log:
- Log input validation failures.
- Change in state and all operations on objects.
- Do not log sensitive data.

- HTML data should be escaped as html entities.
- URL parameters should be url encoded (not url -parameters only)
- HTML attributes should he hex encoded.
- Dynamic javascript should be hex encoded.
- CSS should be \xx encoded and it might still not be safe ( so dont do it)
- JSON  Embeded on page should be html encoded and decoded before parsing.